An OT executive said on Wednesday that addressing the future world of IT and OT converged environments needs to be done thoughtfully and carefully, in addition to conducting risk assessment in line with latest industry guidelines.
Speaking at the GovWare 2021 virtual conference, Dick Bussiere, Tenable‘s technical director for APAC also said that to deliver complete OT (operational technology) security, organizations must adopt complete access and privilege management, commercial-off-the-shelf (COTS) device inventory and management, and OT device inventory and management.
The GovWare Conference 2021 was held Oct 5-7 with the support of the Cyber Security Agency of Singapore (CSA) and community partners across the region. The virtual event provided an opportunity to the global cybersecurity community with over 50 expert-led keynotes and track sessions from industry-leading innovators and the critical information infrastructure (CII) sector, including FireEye, SolarWinds, and ST Engineering. Industrial Cyber was a media partner for the event.
Addressing the cultural divide between IT and OT environments, Bussiere said that it is important for OT owners and operators to understand fundamental cybersecurity concepts and that their key performance indicators (KPIs) may be challenged due to increased threat surface, as the infrastructures converge making them susceptible to attacks. Organizational KPIs must be met by both IT and OT stakeholders.
“So, as I introduce more connectivity into the operational technology environment, there is a higher probability that they will have disruptions through the cyber-attack or other forms of disturbance,” Bussiere said. He also said that the OT operators need to accept the fact that some instrumentation and cybersecurity devices must be installed in their domains.
Citing the challenges in the OT environments, Bussiere said that keeping infrastructure running 7x24x365 takes skill, discipline, and years of experience. Acknowledging that the cybersecurity gaps exist in most OT infrastructure, he said that these gaps introduce risks as convergence accelerates.
Bussiere also called upon OT security teams to understand that IT typically ‘owns’ security initiatives and that the IT security practices clearly benefit the OT KPIs of safety, availability, and quality. He also suggested that these practices may be expressed from an OT perspective. Turning to the IT security teams, Bussiere called for the understanding of fundamental OT concepts and OT KPIs, in addition to recognizing ‘why’ practices unthinkable in an IT environment may be common in an OT environment and adapt to that.
He also advised the OT sector to create a baseline of networking activity and closely monitoring for changes and indications of compromise. He also suggested the isolation of un-patchable critical systems, so that they have minimal to no network connectivity, and setting up ‘vertical segmentation’ zones that help to prevent threats from propagating. He advised organizations to patch what they can when they can while employing compensating controls in environments that they cannot patch.
The OT environment should only contain the bare minimum software that is required to operate the processes, Bussiere said. He also called upon organizations to ensure that the right level of visibility, security, and control prevails across the converged attack surface so that threats and vulnerabilities can be detected and mitigated before damage occurs.
He also said that risk assessment guidelines released by the Cyber Security Agency of Singapore (CSA) help organizations identify assets, define the likelihood of the asset to being compromised, define impact if the asset were compromised, assess tolerance, and roles and responsibilities.
Identifying the OT-specific risks, Bussiere said that the safety of life, limb, and property is one of the most important parameters. The physical impact of any threat as the cyber-physical assets are being manipulated, and the impact of propagation of an attack from one system or area to another, can be either digitally or physically. He also suggested that risk assessment take upon a holistic business-oriented approach.
At another session at the conference, Matthew Loong, KPMG’s associate director, focused on the increasing cybersecurity threats to OT environments to analyze the distinct markers that affected industrial control system (ICS) owners, with a distinct analysis on using Cyber Process Hazard Analysis (C-PHA) to analyze the risks.
The International Electrotechnical Commission (IEC) 61511 Functional Safety standard now requires a safety instrumented system (SIS) security risk assessment. The agency published a technical report that documents a SIS cybersecurity risk assessment procedure, called cybersecurity PHA or cyber PHA. The link to PHA is a step in the cybersecurity risk assessment process to review the output of the PHA to identify worst-case health, safety, security, and environmental (HSSE) consequences for the asset, and identify any hazard scenarios where the initiating event and all control barriers are ‘hackable.’
KPMG had in a recent report on how to identify threats, plug security gaps and proactively avoid the next shutdown for oil and gas, power plants and other industrial facilities suggested that once the ICS has been properly designed, a C-PHA can be conducted.
The Cyber Hazard and Operability (CHAZOP) method involves dividing the entire process into sections. Each section has its distinct function that results in a property or characteristic change in the process feed. Another method, Bowtie which is based on the Swiss cheese model of accident causation used in risk analysis and management, also aims to prevent cyber-physical attacks by putting in place barriers that prevent a threat source from causing an event. It also prevents or reduces negative impact by creating post-event barriers.